Simple Proofs of Sequential WorkBram Cohen Krzysztof Pietrzak
Eurocrypt 2018, Tel Aviv, May 1st 2018
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
σi τi
βi
σi+1 τi+1
βi+1
αi αi+1
Proofs of Sequential Work
puzzle: (N = p · q, x, T ) , solution: x2T
mod Nsolution computed with two exponentiation given p, q:
e← 2T mod φ(N) , x2T
= xe mod N
conjectured to require T sequential squarings given only N
x→ x2 → x22 → . . . x2
T
mod N
puzzle: (N = p · q, x, T ) , solution: x2T
mod N
sequential computation ∼computation time ⇒
“send message to the future”
solution computed with two exponentiation given p, q:
e← 2T mod φ(N) , x2T
= xe mod N
conjectured to require T sequential squarings given only N
x→ x2 → x22 → . . . x2
T
mod N
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the futureFunctionality
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the future
• Random oracle model or“sequential” hash-function
• Non-standard algebraicassumption
Functionality
Assumption
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the future
• Random oracle model or“sequential” hash-function
• Non-standard algebraicassumption
Functionality
Assumption
Public vs. Private• Public-coin ⇒
Publicly verfiable• Private-coin ⇒
Designated verifier
Proofs of Sequential Workaka. Verifiable Delay Algorithm
Prover Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Prover Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Completeness: τ(c, T ) can be computed making T queries to H
Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to H
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Completeness: τ(c, T ) can be computed making T queries to H
Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to Hmassive parallelism useless to generate valid proof faster ⇒prover must make almost T sequential queries ∼ T time
Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)
space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated
combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many
other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).
Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)
space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated
combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many
other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).
1) Prover needs only O(log(T )) (not O(T )) space, e.g. forT = 242 (≈ a day) that’s ≈ 10KB vs. ≈ 1PB.
2) Simple construction and proof with good concreteparameters.
3) Awesome open problem!
New Construction
Construction and Proof Sketch
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
is (2, 3) depth-robust
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
label `i = H(`parents(i)), e.g. `4 = H(`3, `4)
Graph Labelling
Three Basic Concepts
x y
H H
x′y′
queries y = H(x), y′ = H(x′) wherey ⊆ x′ ⇒ query x′ was made after x
Random Oracles are Sequential
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
label `i = H(`parents(i)), e.g. `4 = H(`3, `4)
Graph Labelling
Three Basic Concepts
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
1 2 3 4 5 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
• Send commitment φ to labels to Vφ
φ
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
• Send commitment φ to labels to Vφ
φ
• V challenged to open random subset of nodes and parents(interaction can be removed using Fiat-Shamir)
c ⊂ Vopen {`i}i∈c∪i∈parents(i)
check openings andif labels consistentwith parent labels
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.• Case 2: Less than e bad labels ⇒ ∃ path of good nodes
(by (e, d) depth-robustness) ⇒ P̃ made d sequentialqueries (by sequantality of RO)
The New ConstructionT = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
T = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
right siblingT = 15
left sibling
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
T = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
`1 `2
`3
`14
`15
• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.
T = 15
• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
`1 `2
`3
`14
`15
• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.
T = 15
• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)
PKC’00
The New Construction
Proof Sketch
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 1: ∃ path going through V − S.
• Claim 2: P̃ can’t open |S|/T fraction of leafs.
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 1: ∃ path going through V − S.
• Claim 2: P̃ can’t open |S|/T fraction of leafs.
Theorem: P̃ made only T (1− ε) sequential queries⇒ will pass opening phase with prob. ≤ (1− ε)#of challenges
φ T = 15
why we care
Sustainable Blockchains
σi τi
βi
σi+1 τi+1
βi+1
αi αi+1
Mining Bitcoin (Proofs of Work)
Mining Bitcoin (Proofs of Work)
Ecological: Massive energy & hardwarewaste.
Economical: Requires high rewards ⇒inflation and/or high transaction fees.
Security: E.g. buy old ASICs for 51%attack.
Ecological: Massive energy & hardwarewaste.
Economical: Requires high rewards ⇒inflation and/or high transaction fees.
Security: E.g. buy old ASICs for 51%attack.
Can we have a more “sustainable”
Blockchain?
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Workcomputation as resource
prob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Time
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Timespace as resource
prob. of finding PoSpace of best quality ∼ fraction ofdedicated space
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Timespace as resource
prob. of finding PoSpace of best quality ∼ fraction ofdedicated space
dynamicsRun PoSW on top of PoSpace for T ∼ quality of PoSpace to
“finalize” block
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
αi αi+1 αi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
αi αi+1 αi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
NOTHING TOGRIND HERE!